Patentable/Patents/US-11531757
US-11531757

Ransomware detection and mitigation

PublishedDecember 20, 2022
Assigneenot available in USPTO data we have
Inventorsnot available in USPTO data we have
Technical Abstract

There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a system profile store; and a ransomware detection engine including instructions encoded within the memory to instruct the processor to: detect an operation, by a process, that results in an operation on a file, wherein the operation includes newly creating the file including a file type identifier, or where the file is an existing file, changing a file type identifier for the file; querying the system profile store with a combination of the file type identifier and metadata about the file; based at least in part on the querying, determining that the process is a suspected ransomware attack; and taking a remedial action.

Patent Claims
17 claims

Legal claims defining the scope of protection, as filed with the USPTO.

2

2. The computing apparatus of claim 1, wherein at least some filename extensions follow a final dot (“.”) in a file's name.

3

3. The computing apparatus of claim 1, wherein the four-byte sequences are a first four bytes of a file.

4

4. The computing apparatus of claim 1, wherein the instructions are further to exclude a based on determining that the first filename extension for the changed file is included in an ignore list.

5

5. The computing apparatus of claim 1, wherein the instructions are further to use characters following a penultimate dot (“.”) as a filename extension.

6

6. The computing apparatus of claim 1, wherein determining that the process has changed an existing file comprises comparing a hash of the first four-byte sequence to a hash of the second four byte sequence.

7

7. The computing apparatus of claim 1, wherein the identifying information comprises a hash of a four byte sequence.

8

8. The computing apparatus of claim 1, wherein the data structure further comprises heuristic data for the computing apparatus.

9

9. The computing apparatus of claim 1, wherein the ransomware remediation action comprises isolating the computing apparatus by disabling a network interface.

10

10. The computing apparatus of claim 1, wherein the instructions are further to query a cloud security service with metadata about the computing apparatus and the process.

12

12. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein at least some filename extensions follow a final dot (“.”) in a file's name.

13

13. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein the four-byte sequences are a first four bytes of a file.

14

14. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein the instructions are further to exclude a file based on determining that the first filename extension for the changed file is included in an ignore list.

15

15. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein the instructions are further to use characters following a penultimate dot (“.”) as a filename extension.

16

16. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein determining that the process has changed an existing file comprises comparing a hash of the first four-byte sequence to a hash of the second four byte sequence.

17

17. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein the identifying information comprises a hash of a four byte sequence.

18

18. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein the data structure further comprises heuristic data for a computing apparatus.

20

20. The method of claim 19, further comprising determining that the suspicious file extension is a file type extension not found in the system profile.

Classification Codes (CPC)

Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.

Patent Metadata

Filing Date

December 12, 2019

Publication Date

December 20, 2022

Want to explore more patents?

Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Ransomware detection and mitigation” (US-11531757). https://patentable.app/patents/US-11531757

© 2026 Patentable. All rights reserved.

Patentable is a research and drafting-assistant tool, not a law firm, and does not provide legal advice. Documents we generate are drafts for review by a licensed patent attorney.